Numerical Computations and Formal Methodsmelquion/doc/09-raim3-expose.pdf · Floyd-Hoare logic and...
Transcript of Numerical Computations and Formal Methodsmelquion/doc/09-raim3-expose.pdf · Floyd-Hoare logic and...
Program verification Formal arithmetic Decision procedures
Numerical Computations and Formal Methods
Guillaume Melquiond
Proval, Laboratoire de Recherche en InformatiqueINRIA Saclay–IdF, Universite Paris Sud, CNRS
October 28, 2009
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures
Numerical Computations and Formal Methods
1 Deductive program verification
2 Computing in a formal system
3 Decision procedures for arithmetic theories
4 Conclusion
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Deductive Program Verification
1 Deductive program verificationFloyd-Hoare logic and weakest preconditionsA framework for program verification: WhyGappa
2 Computing in a formal system
3 Decision procedures for arithmetic theories
4 Conclusion
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Hoare Triple
Definition (Hoare triple)
{precondition} code {postcondition}.
Meaning of correctness:If the precondition holds just before the code is executed,the postcondition holds just after it has been executed.
Note: the definition assumes the code terminates.If it does not, any postcondition holds, including False.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Hoare Triple
Definition (Hoare triple)
{precondition} code {postcondition}.
Meaning of correctness:If the precondition holds just before the code is executed,the postcondition holds just after it has been executed.
Note: the definition assumes the code terminates.If it does not, any postcondition holds, including False.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Hoare Triple
1 { x >= 0 }2 y = floor(sqrt(x))3 { y >= 0 and y*y <= x < (y+1)*(y+1) }
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Weakest Precondition
Definition (Weakest precondition)
R is the weakest precondition of a code C and a postcondition Qiff any correct triple {P} C {Q} satisfies P ⇒ R.
A function behaves correctly (modulo termination)if its specification can be expressed as a correct triple.
How to verify it?
Compute the weakest precondition (Dijkstra, 1975)from the function and its specified postcondition.
Prove that the specified precondition implies the weakest one.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Weakest Precondition
Definition (Weakest precondition)
R is the weakest precondition of a code C and a postcondition Qiff any correct triple {P} C {Q} satisfies P ⇒ R.
A function behaves correctly (modulo termination)if its specification can be expressed as a correct triple.
How to verify it?
Compute the weakest precondition (Dijkstra, 1975)from the function and its specified postcondition.
Prove that the specified precondition implies the weakest one.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Weakest Precondition
Definition (Weakest precondition)
R is the weakest precondition of a code C and a postcondition Qiff any correct triple {P} C {Q} satisfies P ⇒ R.
A function behaves correctly (modulo termination)if its specification can be expressed as a correct triple.
How to verify it?
Compute the weakest precondition (Dijkstra, 1975)from the function and its specified postcondition.
Prove that the specified precondition implies the weakest one.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
A Framework for Program Verification: Why
Why is a minimal system:
small ML-like programming language,
small specification language.
Why is an intermediate environment:
it computes weakest preconditions;
it generates VCs for provers, interactive or not.
Various tools translate programing languages (C, Java)to the ML language.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
A Framework for Program Verification: Why
Why is a minimal system:
small ML-like programming language,
small specification language.
Why is an intermediate environment:
it computes weakest preconditions;
it generates VCs for provers, interactive or not.
Various tools translate programing languages (C, Java)to the ML language.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
A Framework for Program Verification: Why
Why is a minimal system:
small ML-like programming language,
small specification language.
Why is an intermediate environment:
it computes weakest preconditions;
it generates VCs for provers, interactive or not.
Various tools translate programing languages (C, Java)to the ML language.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Environment
Coq PVS
Isabelle Mizar
HOL4 HOL light
Alt-Ergo
(Yices, Z3, CVC3)
SMT-lib
Simplify
Harvey Zenon Gappa
Why
Frama-C
Jessie
annotatedC program
annotatedJava/JML prog.
Interactive provers Automated provers
Krakatoa Caduceus
ML program
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Toy Example: Cosine Around Zero
1 /*@ requires \abs(x) <= 0x1p -5 ;2 @ ensures \abs(\ result - \cos(x)) <= 0x1p -23; */3 float toy_cos(float x) {4 // @assert \abs(1.0-x*x*0.5 - \cos(x)) <= 0x1p -24;5 return 1.0f - x * x * 0.5f;6 }
“\result” is the value returned by the function, that is:1− 0.5 · x2 with all the operations rounded to nearest binary32.
Safety: none of the operations overflow nor are invalid.
Correctness: the result is almost the mathematical cosine.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Frama-C/Jessie/Why + Gappa
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Verifying Arithmetic Properties
Kind of properties:
Precondition validity:
no overflow: ∀~x , f (~x) ∈ D;
no domain error: ∀~x , d(f (~x), g(~x), · · · ) ∈ D.
Accuracy of results:
absolute error: ∀~x , f (~x)− g(~x) ∈ E ;relative error: ∀~x , ∃ε, f (~x) = g(~x)× (1 + ε).
Language of formulas:
intervals with nonsymbolic bounds,
expressions with mathematical operators (e.g., ×, tan) androunding operators (e.g., b·c).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Verifying Arithmetic Properties
Kind of properties:
Precondition validity:
no overflow: ∀~x , f (~x) ∈ D;no domain error: ∀~x , d(f (~x), g(~x), · · · ) ∈ D.
Accuracy of results:
absolute error: ∀~x , f (~x)− g(~x) ∈ E ;relative error: ∀~x , ∃ε, f (~x) = g(~x)× (1 + ε).
Language of formulas:
intervals with nonsymbolic bounds,
expressions with mathematical operators (e.g., ×, tan) androunding operators (e.g., b·c).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Verifying Arithmetic Properties
Kind of properties:
Precondition validity:
no overflow: ∀~x , f (~x) ∈ D;no domain error: ∀~x , d(f (~x), g(~x), · · · ) ∈ D.
Accuracy of results:
absolute error: ∀~x , f (~x)− g(~x) ∈ E ;
relative error: ∀~x , ∃ε, f (~x) = g(~x)× (1 + ε).
Language of formulas:
intervals with nonsymbolic bounds,
expressions with mathematical operators (e.g., ×, tan) androunding operators (e.g., b·c).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Verifying Arithmetic Properties
Kind of properties:
Precondition validity:
no overflow: ∀~x , f (~x) ∈ D;no domain error: ∀~x , d(f (~x), g(~x), · · · ) ∈ D.
Accuracy of results:
absolute error: ∀~x , f (~x)− g(~x) ∈ E ;relative error: ∀~x , ∃ε, f (~x) = g(~x)× (1 + ε).
Language of formulas:
intervals with nonsymbolic bounds,
expressions with mathematical operators (e.g., ×, tan) androunding operators (e.g., b·c).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Verifying Arithmetic Properties
Kind of properties:
Precondition validity:
no overflow: ∀~x , f (~x) ∈ D;no domain error: ∀~x , d(f (~x), g(~x), · · · ) ∈ D.
Accuracy of results:
absolute error: ∀~x , f (~x)− g(~x) ∈ E ;relative error: ∀~x , ∃ε, f (~x) = g(~x)× (1 + ε).
Language of formulas:
intervals with nonsymbolic bounds,
expressions with mathematical operators (e.g., ×, tan) androunding operators (e.g., b·c).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Gappa
Input: logical formula about expressions on real numbers.Output: “Yes” and a formal proof, or ”I don’t know”.
Method: saturation over a set of theorems.
Naive interval arithmetic:u ∈ [u, u] ∧ v ∈ [v , v ]⇒ u + v ∈ [u + v , u + v ].
Floating-/fixed-point arithmetic properties:u ∈ 2−1074 · Z⇒ ∃ε ∈ [−2−53, 2−53], ◦(u) = u × (1 + ε).
Forward error analysis:u× v −u× v = (u−u)× v + u× (v − v) + (u−u)× (v − v).
. . .
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Gappa
Input: logical formula about expressions on real numbers.Output: “Yes” and a formal proof, or ”I don’t know”.
Method: saturation over a set of theorems.
Naive interval arithmetic:u ∈ [u, u] ∧ v ∈ [v , v ]⇒ u + v ∈ [u + v , u + v ].
Floating-/fixed-point arithmetic properties:u ∈ 2−1074 · Z⇒ ∃ε ∈ [−2−53, 2−53], ◦(u) = u × (1 + ε).
Forward error analysis:u× v −u× v = (u−u)× v + u× (v − v) + (u−u)× (v − v).
. . .
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Gappa
Input: logical formula about expressions on real numbers.Output: “Yes” and a formal proof, or ”I don’t know”.
Method: saturation over a set of theorems.
Naive interval arithmetic:u ∈ [u, u] ∧ v ∈ [v , v ]⇒ u + v ∈ [u + v , u + v ].
Floating-/fixed-point arithmetic properties:u ∈ 2−1074 · Z⇒ ∃ε ∈ [−2−53, 2−53], ◦(u) = u × (1 + ε).
Forward error analysis:u× v −u× v = (u−u)× v + u× (v − v) + (u−u)× (v − v).
. . .
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures WP Why Gappa
Gappa
Input: logical formula about expressions on real numbers.Output: “Yes” and a formal proof, or ”I don’t know”.
Method: saturation over a set of theorems.
Naive interval arithmetic:u ∈ [u, u] ∧ v ∈ [v , v ]⇒ u + v ∈ [u + v , u + v ].
Floating-/fixed-point arithmetic properties:u ∈ 2−1074 · Z⇒ ∃ε ∈ [−2−53, 2−53], ◦(u) = u × (1 + ε).
Forward error analysis:u× v −u× v = (u−u)× v + u× (v − v) + (u−u)× (v − v).
. . .
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Computing in a Formal System
1 Deductive program verification
2 Computing in a formal systemType theory and proofs by reflectionSome formalizations of arithmetic in Coq
3 Decision procedures for arithmetic theories
4 Conclusion
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Example: Peano’s Arithmetic
Inductive definition of natural numbers:
type nat = O | S of nat (∗ 5 = SSSSSO ∗ )
Axioms for addition:addO:
a
∀b, O + b = baddS: ∀a b, (S a) + b = a + (S b)
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Example: Peano’s Arithmetic
Deductive proof of 4 + (2 + 3) = 9: (9 steps)
9 = 9reflexivity
0 + 9 = 9addO
.... addS× 44 + 5 = 9
4 + (0 + 5) = 9addO
4 + (1 + 4) = 9addS
4 + (2 + 3) = 9addS
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Introducing Computations into Proofs
Recursive definition of addition:
let rec plus x y =match x with| O -> y| S x’ -> plus x’ (S y)
Lemma plus xlate: ∀a b, a + b = plus a b
Proof of 4 + (2 + 3) = 9: (4 steps)
9 = 9reflexivity
plus 4 (plus 2 3) = 9???
4 + (plus 2 3) = 9plus xlate
4 + (2 + 3) = 9plus xlate
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Introducing Computations into Proofs
Recursive definition of addition:
let rec plus x y =match x with| O -> y| S x’ -> plus x’ (S y)
Lemma plus xlate: ∀a b, a + b = plus a b
Proof of 4 + (2 + 3) = 9: (4 steps)
9 = 9reflexivity
plus 4 (plus 2 3) = 9???
4 + (plus 2 3) = 9plus xlate
4 + (2 + 3) = 9plus xlate
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Type Theory and Conversion
Curry-Howard correspondence and type theory:
1 Proposition A holds if the type A is inhabited.
2 Convertible types have the same inhabitants.p : A
p : BA ≡β B
Proof of 4 + (2 + 3) = 9: (4 steps)
p : 9 = 9reflexivity
p : plus 4 (plus 2 3) = 9β-reduction
4 + (plus 2 3) = 9plus xlate
4 + (2 + 3) = 9plus xlate
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Type Theory and Conversion
Curry-Howard correspondence and type theory:
1 Proposition A holds if the type A is inhabited.
2 Convertible types have the same inhabitants.p : A
p : BA ≡β B
Proof of 4 + (2 + 3) = 9: (4 steps)
p : 9 = 9reflexivity
p : plus 4 (plus 2 3) = 9β-reduction
4 + (plus 2 3) = 9plus xlate
4 + (2 + 3) = 9plus xlate
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Encoding Expressions
Inductive definition of expressions on natural numbers:
type expr = Nat of nat | Add of expr * exprlet rec interp_expr e =
match e with| Nat n -> n| Add (x, y) ->
(interp_expr x) "+" (interp_expr y)
Proof of 4 + (2 + 3) = 9:
???interp expr (Add (Nat 4, Add (Nat 2, Nat 3))) = 9
4 + (2 + 3) = 9β-reduction
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Evaluating Expressions
Evaluating expressions on natural numbers:
let rec eval_expr e =match e with| Nat n -> n| Add (x, y) ->
plus (eval_expr x) (eval_expr y)
Lemma expr xlate: ∀e interp expr e = eval expr e
Proof of 4 + (2 + 3) = 9:
9 = 9reflexivity
eval expr (Add (Nat 4, . . .)) = 9β-reduction
interp expr (Add (Nat 4, . . .)) = 9expr xlate
4 + (2 + 3) = 9β-reduction
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Evaluating Expressions
Evaluating expressions on natural numbers:
let rec eval_expr e =match e with| Nat n -> n| Add (x, y) ->
plus (eval_expr x) (eval_expr y)
Lemma expr xlate: ∀e interp expr e = eval expr e
Proof of 4 + (2 + 3) = 9:
9 = 9reflexivity
eval expr (Add (Nat 4, . . .)) = 9β-reduction
interp expr (Add (Nat 4, . . .)) = 9expr xlate
4 + (2 + 3) = 9β-reduction
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Relational Operators
Equality is usually a native concept, while comparisons are not.
Comparing natural numbers:
let rec le x y =match x, y with| O , _ -> true| S _ , O -> false| S x’, S y’ -> le x’ y’
Lemma: ∀a∀b le a b = true ⇔ a ≤ b
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Encoding Comparisons
Inductive definition of relations on natural expressions:
type prop = Le of expr * exprlet interp_prop p =
match p with| Le (x, y) ->
(interp_expr x) "<=" (interp_expr y)let eval_prop p =
match p with| Le (x, y) -> le (eval_expr x) (eval_expr y)
Proof of 4 + (2 + 3) ≤ 5 + 6:
true = true reflexivity
eval prop (Le (Add . . . , Add . . .)) = trueβ-reduction
interp prop (Le (Add . . . , Add . . .))prop xlate
4 + (2 + 3) ≤ 5 + 6β-reduction
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Encoding Comparisons
Inductive definition of relations on natural expressions:
type prop = Le of expr * exprlet interp_prop p =
match p with| Le (x, y) ->
(interp_expr x) "<=" (interp_expr y)let eval_prop p =
match p with| Le (x, y) -> le (eval_expr x) (eval_expr y)
Proof of 4 + (2 + 3) ≤ 5 + 6:
true = true reflexivity
eval prop (Le (Add . . . , Add . . .)) = trueβ-reduction
interp prop (Le (Add . . . , Add . . .))prop xlate
4 + (2 + 3) ≤ 5 + 6β-reduction
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Some Formalizations of Arithmetic in Coq
Integers as lists of bits:polynomial equality, semi-decision of (Z,+,=, <).
Rational numbers and Bernstein polynomials:global optimization for Hales’ inequalities.
Dyadic numbers and intervals:verification of Gappa certificates.
Integers as binary trees of machine words:verification of Pocklington primality certificates.
Floating-point numbers and intervals:enclosures for expressions of elementary functions.
Real numbers as streams of integer words.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Some Formalizations of Arithmetic in Coq
Integers as lists of bits:polynomial equality, semi-decision of (Z,+,=, <).
Rational numbers and Bernstein polynomials:global optimization for Hales’ inequalities.
Dyadic numbers and intervals:verification of Gappa certificates.
Integers as binary trees of machine words:verification of Pocklington primality certificates.
Floating-point numbers and intervals:enclosures for expressions of elementary functions.
Real numbers as streams of integer words.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Some Formalizations of Arithmetic in Coq
Integers as lists of bits:polynomial equality, semi-decision of (Z,+,=, <).
Rational numbers and Bernstein polynomials:global optimization for Hales’ inequalities.
Dyadic numbers and intervals:verification of Gappa certificates.
Integers as binary trees of machine words:verification of Pocklington primality certificates.
Floating-point numbers and intervals:enclosures for expressions of elementary functions.
Real numbers as streams of integer words.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Some Formalizations of Arithmetic in Coq
Integers as lists of bits:polynomial equality, semi-decision of (Z,+,=, <).
Rational numbers and Bernstein polynomials:global optimization for Hales’ inequalities.
Dyadic numbers and intervals:verification of Gappa certificates.
Integers as binary trees of machine words:verification of Pocklington primality certificates.
Floating-point numbers and intervals:enclosures for expressions of elementary functions.
Real numbers as streams of integer words.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Some Formalizations of Arithmetic in Coq
Integers as lists of bits:polynomial equality, semi-decision of (Z,+,=, <).
Rational numbers and Bernstein polynomials:global optimization for Hales’ inequalities.
Dyadic numbers and intervals:verification of Gappa certificates.
Integers as binary trees of machine words:verification of Pocklington primality certificates.
Floating-point numbers and intervals:enclosures for expressions of elementary functions.
Real numbers as streams of integer words.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Some Formalizations of Arithmetic in Coq
Integers as lists of bits:polynomial equality, semi-decision of (Z,+,=, <).
Rational numbers and Bernstein polynomials:global optimization for Hales’ inequalities.
Dyadic numbers and intervals:verification of Gappa certificates.
Integers as binary trees of machine words:verification of Pocklington primality certificates.
Floating-point numbers and intervals:enclosures for expressions of elementary functions.
Real numbers as streams of integer words.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Enclosures for Expressions of Elementary Functions
Example:
∀x ∈ [2−20, 1],
∣∣∣∣x × (1− 10473 · 2−16 · x2)
sin x− 1
∣∣∣∣ ≤ 102 · 2−16.
Method: order-1 Taylor interval computations and bisection.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Enclosures for Expressions of Elementary Functions
Example:
∀x ∈ [2−20, 1],
∣∣∣∣x × (1− 10473 · 2−16 · x2)
sin x− 1
∣∣∣∣ ≤ 102 · 2−16.
Method: order-1 Taylor interval computations and bisection.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Interval Approaches: Relative Error of a Rounded Sine
Relative error between sin x and the binary32 Horner evaluationof a degree-3 polynomial for x ∈ [2−20, 1]:
1 Theorem rounded_sine :2 forall x y,3 y = rnd(x * rnd(1 - rnd(rnd(x*x) * (10473/65536)))) ->4 1/1048576 <= x <= 1 ->5 Rabs(y - sin x) <= 103 / 65536 * Rabs(sin x).6 Proof.7 intros.8 set (My := x * (1 - (x*x) * (10473/65536))).9 assert (Rabs(My - sin x) <= 102 / 65536 * Rabs(sin x)).
10 (∗ method e r r o r ∗)11 apply helper. admit.12 unfold My.13 abstract interval with14 (i_bisect_diff x, i_depth 40, i_nocheck).15 unfold My in H1.16 gappa. (∗ g l o b a l e r r o r ∗)17 Qed.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Interval Approaches: Square Root
Fully computational approach:
f ([u, u]) =
{ [5√u,4
√u]
if 0 ≤ u,⊥ otherwise.
Correctness lemma: ∀x ∈ [u, u],√
x ∈ f ([u, u]).
Oracle-based approach:
f ([u, u], [v , v ]) = 0 ≤ v ∧ u ≤ v2 ∧{
0 ≤ u if v ≤ 0v2 ≤ u otherwise.
Correctness lemma:∀x ∈ [u, u], f ([u, u], [v , v ]) = true ⇒
√x ∈ [v , v ].
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Interval Approaches: Square Root
Fully computational approach:
f ([u, u]) =
{ [5√u,4
√u]
if 0 ≤ u,⊥ otherwise.
Correctness lemma: ∀x ∈ [u, u],√
x ∈ f ([u, u]).
Oracle-based approach:
f ([u, u], [v , v ]) = 0 ≤ v ∧ u ≤ v2 ∧{
0 ≤ u if v ≤ 0v2 ≤ u otherwise.
Correctness lemma:∀x ∈ [u, u], f ([u, u], [v , v ]) = true ⇒
√x ∈ [v , v ].
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Computing with (Approximate) Reals: Issues
Decidability?
Semi-decidability?
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Reflection Formalizations
Computing with (Approximate) Reals: Issues
Decidability?
Semi-decidability?
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Decision Procedures for Arithmetic Theories
1 Deductive program verification
2 Computing in a formal system
3 Decision procedures for arithmetic theoriesQuantifier eliminationTheory (C,+,×,=)Theory (Q,+,=, <)∀-formulas, ideals, and cones
4 Conclusion
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Quantifier Elimination
Definition (Quantifier elimination)
A theory T in a first-order language L admits QE if,for any formula p ∈ L, there is a quantifier-free formula q ∈ Lsuch that T |= p ⇔ q and q has no other free variables than p.
Sufficient condition: any formula “∃x , α1 ∧ · · · ∧ αn” admits QE.
Property
A formula is decidable in a theory QE if it has no free variables.
Example on N: ∀x , 1 ≤ x ⇒ ∃y , y < x .
¬(∃x , 1 ≤ x ∧ ¬(∃y , y < x))
¬(∃x , 1 ≤ x ∧ ¬(0 < x))
¬(1 ≤ 0)
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Quantifier Elimination
Definition (Quantifier elimination)
A theory T in a first-order language L admits QE if,for any formula p ∈ L, there is a quantifier-free formula q ∈ Lsuch that T |= p ⇔ q and q has no other free variables than p.
Sufficient condition: any formula “∃x , α1 ∧ · · · ∧ αn” admits QE.
Property
A formula is decidable in a theory QE if it has no free variables.
Example on N: ∀x , 1 ≤ x ⇒ ∃y , y < x .
¬(∃x , 1 ≤ x ∧ ¬(∃y , y < x))
¬(∃x , 1 ≤ x ∧ ¬(0 < x))
¬(1 ≤ 0)
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Arithmetic Theories and Quantifier Elimination
Decidable theories:
(C,+,×,=) Tarski
(R,+,×,=, <) Collins, Hormander
(Q,+,=, <) Fourier, Motzkin
(Z,+,=, <) Presburger, Cooper
(Q,+, b·c,=, <) Weispfenning
Undecidable theory:
(Z,+,×,=, <) Tarski, Godel
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Arithmetic Theories and Quantifier Elimination
Decidable theories:
(C,+,×,=) Tarski
(R,+,×,=, <) Collins, Hormander
(Q,+,=, <) Fourier, Motzkin
(Z,+,=, <) Presburger, Cooper
(Q,+, b·c,=, <) Weispfenning
Undecidable theory:
(Z,+,×,=, <) Tarski, Godel
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Arithmetic Theories and Quantifier Elimination
Decidable theories:
(C,+,×,=) Tarski
(R,+,×,=, <) Collins, Hormander
(Q,+,=, <) Fourier, Motzkin
(Z,+,=, <) Presburger, Cooper
(Q,+, b·c,=, <) Weispfenning
Undecidable theory:
(Z,+,×,=, <) Tarski, Godel
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Arithmetic Theories and Quantifier Elimination
Decidable theories:
(C,+,×,=) Tarski
(R,+,×,=, <) Collins, Hormander
(Q,+,=, <) Fourier, Motzkin
(Z,+,=, <) Presburger, Cooper
(Q,+, b·c,=, <) Weispfenning
Undecidable theory:
(Z,+,×,=, <) Tarski, Godel
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Arithmetic Theories and Quantifier Elimination
Decidable theories:
(C,+,×,=) Tarski
(R,+,×,=, <) Collins, Hormander
(Q,+,=, <) Fourier, Motzkin
(Z,+,=, <) Presburger, Cooper
(Q,+, b·c,=, <) Weispfenning
Undecidable theory:
(Z,+,×,=, <) Tarski, Godel
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Arithmetic Theories and Quantifier Elimination
Decidable theories:
(C,+,×,=) Tarski
(R,+,×,=, <) Collins, Hormander
(Q,+,=, <) Fourier, Motzkin
(Z,+,=, <) Presburger, Cooper
(Q,+, b·c,=, <) Weispfenning
Undecidable theory:
(Z,+,×,=, <) Tarski, Godel
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (C, +,×, =)
Given ∃x , p1(x) = 0 ∧ · · · ∧ pm(x) = 0 ∧ q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0.
1 Reducing to ∃x , P(x) = 0 ∧ Q(x) 6= 0:
q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0⇔ q1(x)× · · · × qn(x) 6= 0.
ck × pi (x) = pj(x)× q(x) + r(x), so
pi (x) = 0 ∧ pj(x) = 0⇔{
r(x) = 0 ∧ pj(x) = 0 if c 6= 0pi (x) = 0 ∧ p∗j (x) = 0 if c = 0
2 Cases:
(∃x , Q(x) 6= 0)⇔ ¬(coefs of Q are zero).(∃x , P(x) = 0)⇔ ¬(. . .)(∃x , P(x) 6= 0⇒ Q(x) 6= 0)⇔ ¬(P|xQn).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (C, +,×, =)
Given ∃x , p1(x) = 0 ∧ · · · ∧ pm(x) = 0 ∧ q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0.
1 Reducing to ∃x , P(x) = 0 ∧ Q(x) 6= 0:
q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0⇔ q1(x)× · · · × qn(x) 6= 0.
ck × pi (x) = pj(x)× q(x) + r(x), so
pi (x) = 0 ∧ pj(x) = 0⇔{
r(x) = 0 ∧ pj(x) = 0 if c 6= 0pi (x) = 0 ∧ p∗j (x) = 0 if c = 0
2 Cases:
(∃x , Q(x) 6= 0)⇔ ¬(coefs of Q are zero).(∃x , P(x) = 0)⇔ ¬(. . .)(∃x , P(x) 6= 0⇒ Q(x) 6= 0)⇔ ¬(P|xQn).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (C, +,×, =)
Given ∃x , p1(x) = 0 ∧ · · · ∧ pm(x) = 0 ∧ q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0.
1 Reducing to ∃x , P(x) = 0 ∧ Q(x) 6= 0:
q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0⇔ q1(x)× · · · × qn(x) 6= 0.
ck × pi (x) = pj(x)× q(x) + r(x), so
pi (x) = 0 ∧ pj(x) = 0⇔{
r(x) = 0 ∧ pj(x) = 0 if c 6= 0pi (x) = 0 ∧ p∗j (x) = 0 if c = 0
2 Cases:
(∃x , Q(x) 6= 0)⇔ ¬(coefs of Q are zero).(∃x , P(x) = 0)⇔ ¬(. . .)(∃x , P(x) 6= 0⇒ Q(x) 6= 0)⇔ ¬(P|xQn).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (C, +,×, =)
Given ∃x , p1(x) = 0 ∧ · · · ∧ pm(x) = 0 ∧ q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0.
1 Reducing to ∃x , P(x) = 0 ∧ Q(x) 6= 0:
q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0⇔ q1(x)× · · · × qn(x) 6= 0.
ck × pi (x) = pj(x)× q(x) + r(x), so
pi (x) = 0 ∧ pj(x) = 0⇔{
r(x) = 0 ∧ pj(x) = 0 if c 6= 0pi (x) = 0 ∧ p∗j (x) = 0 if c = 0
2 Cases:
(∃x , Q(x) 6= 0)⇔ ¬(coefs of Q are zero).(∃x , P(x) = 0)⇔ ¬(. . .)
(∃x , P(x) 6= 0⇒ Q(x) 6= 0)⇔ ¬(P|xQn).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (C, +,×, =)
Given ∃x , p1(x) = 0 ∧ · · · ∧ pm(x) = 0 ∧ q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0.
1 Reducing to ∃x , P(x) = 0 ∧ Q(x) 6= 0:
q1(x) 6= 0 ∧ · · · ∧ qn(x) 6= 0⇔ q1(x)× · · · × qn(x) 6= 0.
ck × pi (x) = pj(x)× q(x) + r(x), so
pi (x) = 0 ∧ pj(x) = 0⇔{
r(x) = 0 ∧ pj(x) = 0 if c 6= 0pi (x) = 0 ∧ p∗j (x) = 0 if c = 0
2 Cases:
(∃x , Q(x) 6= 0)⇔ ¬(coefs of Q are zero).(∃x , P(x) = 0)⇔ ¬(. . .)(∃x , P(x) 6= 0⇒ Q(x) 6= 0)⇔ ¬(P|xQn).
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (Q, +, =, <)
Quantifier elimination of linear constraints:
(∃x , x = ~a · ~y ∧ P[x , ~y ])⇔ P[~a · ~y , ~y ].
(∃x ,∧
i x < ~ai · ~y ∧∧
j x > ~bj · ~y)⇔∧
i ,j 0 < (~ai − ~bj) · ~y .
Special case: closed ∃-formulas of conjunctions.Methods: simplex, interior point.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (Q, +, =, <)
Quantifier elimination of linear constraints:
(∃x , x = ~a · ~y ∧ P[x , ~y ])⇔ P[~a · ~y , ~y ].
(∃x ,∧
i x < ~ai · ~y ∧∧
j x > ~bj · ~y)⇔∧
i ,j 0 < (~ai − ~bj) · ~y .
Special case: closed ∃-formulas of conjunctions.Methods: simplex, interior point.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
Theory (Q, +, =, <)
Quantifier elimination of linear constraints:
(∃x , x = ~a · ~y ∧ P[x , ~y ])⇔ P[~a · ~y , ~y ].
(∃x ,∧
i x < ~ai · ~y ∧∧
j x > ~bj · ~y)⇔∧
i ,j 0 < (~ai − ~bj) · ~y .
Special case: closed ∃-formulas of conjunctions.Methods: simplex, interior point.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
∀-Formulas, Ideals, and Cones
On C: ∀~x ,∨
i pi (~x) 6= 0 ∨∨
j qj(~x) = 0. (F )
F ⇔ ∀~x~z , ¬(∧
i pi (~x) = 0 ∧∧
j zj × qj(~x)− 1 = 0)
F
⇔ 1 ∈ Ideal(· · · , pi , · · · , zj × qj − 1, · · · ).
On R: ∀~x , ¬(∧
i pi (~x) = 0 ∧∧
j qj(~x) ≥ 0)
. (F )
F ⇔ −1 ∈ Ideal(p1, · · · , pm) + Cone(q1, · · · , qn).
Methods: Grobner bases, semi-definite programming, . . .
Suitable for oracles: verifying ideal membership (⇐) is justa single polynomial equality.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
∀-Formulas, Ideals, and Cones
On C: ∀~x ,∨
i pi (~x) 6= 0 ∨∨
j qj(~x) = 0. (F )
F ⇔ ∀~x~z , ¬(∧
i pi (~x) = 0 ∧∧
j zj × qj(~x)− 1 = 0)
F
⇔ 1 ∈ Ideal(· · · , pi , · · · , zj × qj − 1, · · · ).
On R: ∀~x , ¬(∧
i pi (~x) = 0 ∧∧
j qj(~x) ≥ 0)
. (F )
F ⇔ −1 ∈ Ideal(p1, · · · , pm) + Cone(q1, · · · , qn).
Methods: Grobner bases, semi-definite programming, . . .
Suitable for oracles: verifying ideal membership (⇐) is justa single polynomial equality.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
∀-Formulas, Ideals, and Cones
On C: ∀~x ,∨
i pi (~x) 6= 0 ∨∨
j qj(~x) = 0. (F )
F ⇔ ∀~x~z , ¬(∧
i pi (~x) = 0 ∧∧
j zj × qj(~x)− 1 = 0)
F
⇔ 1 ∈ Ideal(· · · , pi , · · · , zj × qj − 1, · · · ).
On R: ∀~x , ¬(∧
i pi (~x) = 0 ∧∧
j qj(~x) ≥ 0)
. (F )
F ⇔ −1 ∈ Ideal(p1, · · · , pm) + Cone(q1, · · · , qn).
Methods: Grobner bases, semi-definite programming, . . .
Suitable for oracles: verifying ideal membership (⇐) is justa single polynomial equality.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
∀-Formulas, Ideals, and Cones
On C: ∀~x ,∨
i pi (~x) 6= 0 ∨∨
j qj(~x) = 0. (F )
F ⇔ ∀~x~z , ¬(∧
i pi (~x) = 0 ∧∧
j zj × qj(~x)− 1 = 0)
F
⇔ 1 ∈ Ideal(· · · , pi , · · · , zj × qj − 1, · · · ).
On R: ∀~x , ¬(∧
i pi (~x) = 0 ∧∧
j qj(~x) ≥ 0)
. (F )
F ⇔ −1 ∈ Ideal(p1, · · · , pm) + Cone(q1, · · · , qn).
Methods: Grobner bases, semi-definite programming, . . .
Suitable for oracles: verifying ideal membership (⇐) is justa single polynomial equality.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
∀-Formulas, Ideals, and Cones
On C: ∀~x ,∨
i pi (~x) 6= 0 ∨∨
j qj(~x) = 0. (F )
F ⇔ ∀~x~z , ¬(∧
i pi (~x) = 0 ∧∧
j zj × qj(~x)− 1 = 0)
F
⇔ 1 ∈ Ideal(· · · , pi , · · · , zj × qj − 1, · · · ).
On R: ∀~x , ¬(∧
i pi (~x) = 0 ∧∧
j qj(~x) ≥ 0)
. (F )
F ⇔ −1 ∈ Ideal(p1, · · · , pm) + Cone(q1, · · · , qn).
Methods: Grobner bases, semi-definite programming, . . .
Suitable for oracles: verifying ideal membership (⇐) is justa single polynomial equality.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures Quantifier elimination C Q Ideals
∀-Formulas, Ideals, and Cones
On C: ∀~x ,∨
i pi (~x) 6= 0 ∨∨
j qj(~x) = 0. (F )
F ⇔ ∀~x~z , ¬(∧
i pi (~x) = 0 ∧∧
j zj × qj(~x)− 1 = 0)
F
⇔ 1 ∈ Ideal(· · · , pi , · · · , zj × qj − 1, · · · ).
On R: ∀~x , ¬(∧
i pi (~x) = 0 ∧∧
j qj(~x) ≥ 0)
. (F )
F ⇔ −1 ∈ Ideal(p1, · · · , pm) + Cone(q1, · · · , qn).
Methods: Grobner bases, semi-definite programming, . . .
Suitable for oracles: verifying ideal membership (⇐) is justa single polynomial equality.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures
Conclusion
Deductive verification allows to certify arbitrary programs.
But proof obligations lack structure,making it difficult for automated provers.
Numerical computations are not incompatiblewith formal systems.
They can be used to prove mathematical theorems.
There are powerful but slow methods for provingsome large sets of proof obligations.
Oracle-based approaches can dramatically increaseperformances on specific subsets.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures
Conclusion
Deductive verification allows to certify arbitrary programs.
But proof obligations lack structure,making it difficult for automated provers.
Numerical computations are not incompatiblewith formal systems.
They can be used to prove mathematical theorems.
There are powerful but slow methods for provingsome large sets of proof obligations.
Oracle-based approaches can dramatically increaseperformances on specific subsets.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures
Conclusion
Deductive verification allows to certify arbitrary programs.
But proof obligations lack structure,making it difficult for automated provers.
Numerical computations are not incompatiblewith formal systems.
They can be used to prove mathematical theorems.
There are powerful but slow methods for provingsome large sets of proof obligations.
Oracle-based approaches can dramatically increaseperformances on specific subsets.
Guillaume Melquiond Numerical Computations and Formal Methods
Program verification Formal arithmetic Decision procedures
Questions?
Guillaume Melquiond Numerical Computations and Formal Methods